.htaccess rules broken since yarn.lock got added

Created on 14 December 2022, over 1 year ago
Updated 27 October 2023, 8 months ago

Follow-up to #3308369: Block access to yarn.lock and package.json

Problem/Motivation

#2332029: Add test coverage for .htaccess rules added test coverage to ensure that files with certain extensions cannot be accessed through the browser. However, extending this coverage was missed in #3308369: Block access to yarn.lock and package.json.
It turns out that not only tests for the two new files are missing, but the functionality for yarn.lock seems broken.

Proposed resolution

Fix missing coverage for yarn.lock and package.json.
Fix functionality for yarn.lock.

🐛 Bug report
Status

Fixed

Version

10.1

Component
Base 

Last updated about 3 hours ago

Created by

🇳🇱Netherlands Eric_A

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷France O'Briat Nantes

    This should be sent to nginx to update their page about Drupal: https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/

    Here's the fix for nginx:

    # Protect files and directories from prying eyes.
    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
        deny all;
        return 404;
    }
    

    |yarn\.lock|package\.json was added just after config
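
A coverage check for the pattern quoted in the comment above, as an added example that is not part of the original thread and is not Drupal's or nginx's own code. Apache's `FilesMatch` tests the file's base name, while an nginx regex `location` tests the request URI, which always begins with `/`, so the `^(...)$` group behaves differently in each. The `URI_AWARE` variant, the sample paths and the helper names are assumptions made for this example.

```python
import re

# Pattern as posted in the nginx snippet above (ported from the .htaccess
# FilesMatch rule). nginx "~*" means case-insensitive matching.
POSTED = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template"
    r"|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)
# Assumption (not from the page): let the anchored group also start right
# after a "/", so it can match the last segment of a full request URI.
URI_AWARE = POSTED.replace("|^(", "|(^|/)(", 1)

# Constructed sample request paths.
SENSITIVE = [
    "/yarn.lock", "/package.json", "/composer.json", "/core/yarn.lock",
    "/web.config", "/.htaccess", "/modules/foo/foo.module", "/index.php.bak",
]
PUBLIC = ["/index.php", "/.well-known/security.txt", "/core/misc/drupal.js"]


def blocked(pattern, subject):
    """True if the deny rule would apply to this subject string."""
    return re.search(pattern, subject, re.IGNORECASE) is not None


def subject_for(path, by_basename):
    # FilesMatch sees only the last path component; nginx sees the whole URI.
    return path.rsplit("/", 1)[-1] if by_basename else path


def uncovered(pattern, by_basename):
    """Sensitive paths the rule fails to block."""
    return [p for p in SENSITIVE if not blocked(pattern, subject_for(p, by_basename))]


def overblocked(pattern, by_basename):
    """Public paths the rule blocks by mistake."""
    return [p for p in PUBLIC if blocked(pattern, subject_for(p, by_basename))]


if __name__ == "__main__":
    for name, pat, by_base in [("posted, basename (FilesMatch)", POSTED, True),
                               ("posted, full URI (nginx)", POSTED, False),
                               ("URI-aware, full URI (nginx)", URI_AWARE, False)]:
        print(f"{name}: uncovered={uncovered(pat, by_base)} "
              f"overblocked={overblocked(pat, by_base)}")
```

Because `~*` is case-insensitive, the URI-aware variant also matches lowercase paths such as `/tag` or `/root`; check it against the site's real routes before deploying it.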
